Nocturne uses a variant of Schnorr signatures over Baby Jubjub. The secret key is derived from the spending key $sk$, and the public key is the spending public key $\text{PK}$.

Spelled out, signing takes as input a message hash $m$ and proceeds as follows:

  1. $h \leftarrow \text{SHA512}(sk)$

  2. $s \leftarrow h[0:32]$ (derive the signing secret key from the spending key)

  3. $x \leftarrow h[32:64]$ (extract 32 bytes of entropy from the spending key)

  4. $v \leftarrow \text{randomBytes}(32)$ (sample another 32 random bytes)

  5. $n \leftarrow \text{SHA512}(x\ ||\ v\ ||\ m) \mod r \in \mathbb{F}_r$ ("reduce" the hash output into $\mathbb{F}_r$, so the nonce mixes entropy derived from $sk$ in addition to the RNG output)

  6. $R \leftarrow n \times G$ (the rest is a "standard" Schnorr signature)

  7. $c \leftarrow H(\text{PK.X}\ ||\ R.X\ ||\ R.Y\ ||\ m)$

  8. $z \leftarrow n - \text{sk} \cdot c$

  9. The signature is the pair $(c, z)$

To verify, we take as input the message $m$ and signature $(c, z)$ and do the following (this is the standard verification procedure):

  1. $Z \leftarrow z \times G$

  2. $P \leftarrow c \times \text{PK}$

  3. $R \leftarrow Z + P$

  4. $cp \leftarrow H(\text{PK.X}\ ||\ R.X\ ||\ R.Y\ ||\ m)$

  5. Accept the signature if $cp = c$. Reject it otherwise.

Security Requirements

The signature scheme must be strongly unforgeable under chosen-message-attack (SUF-CMA).

Security Argument

Schnorr signature schemes are known to be secure under the discrete log assumption in the random-oracle model. In our case, the scheme is secure under the following assumptions:

  1. Poseidon is a random oracle

  2. The discrete log problem is infeasible in Baby Jubjub
